Tuesday, July 02, 2002

The best alternative to X.509 PKI that never really went anywhere is still Rivest/Ellison's Simple Distributed Security Infrastructure (SDSI). The specs here lay out what I think is the best-to-date set of design goals. If you updated this for XML, you might really be on to something :).
11:49:00 PM

Web services security and XML pixie dust. It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up. ... [Jon's Radio]

Hehe. If only someone would design a security standard that actually fit the requirements of the job instead of some overly formal, unnatural model of how trust translates into bits.
11:35:54 PM

>>> Application and data security has often been marked by an "it's good enough" lowest common denominator approach. My pragmatic bone tells me that web services will be the same—I doubt most organizations will wait for or agree upon the perfect solution. [Brent Sleeper: Web Services] <<<

The truth about security is that some amount of risk is inevitable, and more importantly, acceptable. It comes down to a cost/benefit question -- how much more risk have I alleviated by spending the money to implement and maintain this level of security? I think that the break-even comes much earlier (at a much lower level of security) than most security experts and industry pundits are willing to acknowledge. I think this is why PKI has never gone anywhere -- ridiculously expensive to set up and maintain for the increment in real security you get relative to simpler and less expensive things. There is the risk that we're essentially building on a flood plain -- that we haven't seen the real threats yet that these increments in security would protect us against. But, I wouldn't bet on it.
11:18:26 PM

Coursey on Palladium [Slashdot: News for nerds, stuff that matters]

Man, is David Coursey lame. Weak reporting, worse forecasting, and now this thing which is just an excuse for getting scooped by Steven Levy. Sorry, just had to get that off my chest.
10:52:01 AM